
WWDC09 • Session 622

Moving to Snow Leopard Server

IT • 1:00:58

Mac OS X Server provides a wealth of services that your organization relies on every day. To ensure an easy transition, system administrators should devise and follow a solid migration plan for moving to Snow Leopard Server. Learn key planning points, strategies, and methodologies for migrating wikis and blogs, file services, resource and client data and management details, NetBoot information, and more.

Speakers: Schoun Regan, John Poynor, Andre LaBranche

Unlisted on Apple Developer site

Downloads from Apple

SD Video (225.3 MB)

Transcript

This transcript has potential transcription errors. We are working on an improved version.

My name is Schoun Regan. I'm the Provider Development Manager for Apple. And joining me today is going to be John Poynor, Senior Technical Service Consultant. He works with me in our group in education, and Andre LaBranche, he is going to be our demo guy. We're going to talk about moving to Snow Leopard Server.

How many of you are here for the very first time? Oh good, welcome, welcome to our little fun week. So, how many of you upgraded last year successfully?

[ Audience Remark: Define success! ]

Define success, fair enough. Upgrading from Tiger to Leopard, did the LDAP database, KDC and Password Server upgrade successfully? OK, nuke and pave as an option.

If you went to Eric's session earlier today, you've seen that Apple has done a lot of work in this area and we're very, very proud of this. And so we want to talk about this because upgrading, migrating is never really an error free process, but we worked really, really hard to make it as smooth as we can.

So let's talk about this, what are we going to talk about? Well, we want to talk about preparing our upgrade, right, we want to focus on very critical aspects, some service configurations, Password Server, KDC, wiki blogs, Mail, the usual suspects. There is a guide available, and remember this is in beta. The guide is still in transition as well, and that's available on the site, the upgrading and migration guide that's going to help you in this process.

So, what are we going to talk about? Well, we've got some terminology. We want to get our facts straight. Words are important. Words only matter when they really matter. So we want to talk about some words, get this straight. I want to talk about a quick and dirty backup method. We have some rules of engagement that we want to talk about before we get started, then we're going to focus on an upgrade and then move over and focus on migration.

So start with the terms. The difference between an upgrade and an update, what's the difference, 10.5.6 to 10.5.7 I did an update, that's great. 10.5 to 10.6, I did an upgrade. Make sure you use the proper terms, doesn't always happen. And what about migrate, moving from one system to another.

How many of you attended Eric's session this morning? OK, so you saw the upgrade assistant, you saw the migration assistant, and these are going to help us in that process and we'll see those today in the demo. What versions do we support? Well, we support upgrading, migrating from 10.4.11 or 10.5.6 or later. Now, what about a nuke and pave, just a clean install, we do have customers that have servers.

They're small business servers, they don't have one or two accounts on them. They have a little bit of data on there. The servers may be used as a web server or a file server or something like that. All the user data-- all the user created data is all backed up, that's great. You can easily recreate the small limited number of users as long as you're not using any sort of access controls, you're fine.

You don't really need to keep anything from the older server. So what about your deployment, what decisions do you have, how many users do you have, what is the server doing, what's its role, what's its function, which one of these makes the most sense to you, an upgrade or a migration? If you're buying a new server the choice is clear. If you have an old server that you want to keep in place, an older Xserve, maybe you're going to do an in-place upgrade.

What tools are necessary, and let's talk about a little backup procedure. And this is easy, you can try this at home, it's very nice. How many of you back up, how many of you are lying? Thank you!

[ Laughter ]

Aha. So, Xserve can come with 3 drives, right, stick a FireWire drive on it, USB drive on it, whatever you want.

Some nice quick dirty method, we always like to share this with people. Buy another copy of Mac OS X, just want to be legal, install it on the third drive or install it on that FireWire drive. If you don't have physical access to the box, install it on the machine, create a disk image of it, move it over.

Use the same administrator name, same password, turn on ssh, ARD, copy over preferences.plist file, which is what? All the networking information, all the networking information in the machine is in the preferences.plist, that way you don't make any errors. If you're using ssh keys, move the ssh keys over as well. Why? Well, if you need to, what you can do is boot from that third disk. Once you've booted from the third disk, you can create a disk image.

However you want to do it, you can make it read, write, read only, it doesn't matter. Create the disk image and clone the OS X server volume over. Boot back into the OS X server volume and you can set up an rsync script to mount the disk image. You can use hdiutil for that rsync to sync over any of the changes. It's a nice, quick, dirty, clean, easy, backup method. So we decided on an installation method, we backed up our server, but we have some rules.

[ Applause ]

[ Laughter ]

[ Pause ]

How many people did this? I only say you have the guts to tell the truth, OK. We've seen them on the list. I upgraded my server and it didn't go well and then my users are yelling at me, what should I do? Update a resume.

So back it up. A lot of us love the fact that Apple makes configuration files easy to edit. Their plist files, we can tweak them, there are myriad of options at UNIX, it's great, we love it. And we get in there and we tweak these systems and you Google for certain aspects. Oh, can I change this, hey what about this key? This key really wasn't known, oh, it's in the developer documentation.

This key does this certain thing. If you have one of those home grown files, when you go to update, those files may be overwritten. It's always a good idea to know which files you've touched, which files you've modified, system library launch, daemons launch, agents configuration files, anything like that that's important to the system. With launchd, system launchd files will be overwritten.

So if you've edited any system launchd files, this isn't in the local library. This is in system library. And if you've heard me talk before, you know that I pushed DNS on people and I think over the years, you've heard it. Steve just talked about it in the last session downstairs with the split DNS server. DNS is the crux of everything.

Make sure that your DNS is working properly, OK. So what about the admin tools? You got them, everybody got the beta. Tiger admin tools won't work with Snow Leopard Server don't use them. Don't try them, tar them up, Zip them up, if you have a Tiger server, use them. If it were up to me I'd say, hey, buy another MacBook and just run those servers, just run those Server Admin tools on MacBook.

What about NetBoot Images? NetBoot Images 10.4 and later will work. If you still have NetBoot Images created with earlier versions of the OS, you're going to have to go and you're going to have to recreate those. At this time, I'd like to bring up Andre LaBranche. Andre is going to give us the coolest working demo.

[ Applause ]
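The advice above about knowing which configuration files you have touched before an upgrade (and, later in the session, comparing your saved smb.conf against the new one) can be made systematic with a checksum manifest. The following POSIX shell script is an added example, not something from the session or from Mac OS X Server: record a manifest of the files you care about before the upgrade, record another afterwards, and list the files that changed. The paths in the usage comment are assumed for illustration; the script itself only relies on the POSIX `cksum` and `awk` utilities.

```shell
#!/bin/sh
# Added example (not from the session): a checksum manifest of hand-edited
# configuration files, taken before and after an upgrade, so you can see
# which of your customizations were overwritten or which files vanished.

# Record one line per file (cksum output: CRC, size, path) into manifest $1.
# Files that do not exist are recorded with a MISSING marker so that they
# still show up as "changed" if they appear or disappear across the upgrade.
# Paths must not contain whitespace, because the report reads the third field.
config_manifest() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            cksum "$f" >> "$out"
        else
            echo "MISSING 0 $f" >> "$out"
        fi
    done
}

# Print the path of every file whose line in manifest $2 (after) has no
# identical line in manifest $1 (before): changed contents or size, or a
# file that appeared or vanished.
config_changed() {
    awk 'NR == FNR { seen[$0] = 1; next } !($0 in seen) { print $3 }' "$1" "$2"
}

# Typical use on a server (paths assumed; list the files you actually edited,
# including any launchd plists under /System/Library that you changed):
#   config_manifest /Volumes/Backup/before.txt /etc/smb.conf /etc/dovecot/dovecot.conf
#   ... run the upgrade ...
#   config_manifest /Volumes/Backup/after.txt  /etc/smb.conf /etc/dovecot/dovecot.conf
#   config_changed  /Volumes/Backup/before.txt /Volumes/Backup/after.txt
```

Keep the "before" manifest on the same external disk as the rest of your backup: it is only useful if it survives the upgrade, and a file that comes back as changed is your cue to compare the new version with your saved copy and re-apply the settings you need.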

Okay. So what I'm going to do is switch my video first, there we go.

So this is the first of three demos. I'm going to show you first of all where we're starting from, you know, the Leopard 10.5 server with a bunch of stuff on it. And then the next two demos are going to show you what happens afterwards after an in-place upgrade and then after if you want to do some migration, getting some of that old data back in to a new server. But before I jump in to that, I'm sure a lot of you have seen this before, but I'm just going to show it for those who have not seen it.

Disk utility makes it excruciatingly easy to do backups and restores. You just select your server volume, you want to boot from something else first, not your server. You never want to back up a running OS because there's files that are open and potentially changing and then you might end up with a situation where one of the files changes during the backup and you end up with a backup that's not coherent with itself, and nobody wants that.

So you boot to something else, maybe your installed DVD, select your server's volume, click the new image button, save it some place, now you've got an image of your whole server. To restore that, you just can select another volume or partition and drag your disk image into the source.

Drag your destination target, and the destination, click arrays destination restore, you know, wait a few minutes and then you have a perfect quality backup and restore. You can also clone volumes from one to the other by just dragging the volume and it's the source, and then another volume and it's the destination.

Everybody should do that, it's so easy. There's no reason not to.

And it's also nice to have your old server sitting around in disk image if you have a need to fish out an old config file or, you know, some piece of data or something that maybe didn't migrate or you want to check what the old version was like. So, next I want to show you just a couple of brief things that you want to do on your server before you actually kick off the upgrade. And to do that, I'm just going to sort of show you what's running on the server.

Server Admin, we can see we've got some stuff in here. We've got, you know, an Open Directory Master, we've got, you know, LDAP, Password Server, Kerberos all running. I can sort of verify that by using Workgroup Manager. And I'm just sort of setting the stage for the next demos.

This is not incredibly fantastic and fun to look at. But you see that I've got some, you know, user accounts in here, I've got some group accounts. I've got a mail server. I've got a mail client connected to the mail server. Hey look at that, we've got some messages in here.

Two users, yeah I know it's a spam message, right, my own message. So, I've also got a WebServer and this is version 2.2. I'm going to speak to that in a minute. But I don't have a lot of web content, basically I just have the wiki setup and so I can go to my web site and I can see that I've got, you know, some wiki content here and there's not really much here. This is just sort of a sample, you know.

There is some wiki content, great, OK. So, got all the stuff here, all my server is working. I have DNS set up as well. I'm providing my own DNS for this server. I have a fictitious domain called WWDC and I am server.wwdc. I got my firewall going, I've got, you know, home directory, a network home directory for my users and that kind of stuff. A couple of other services running. I'm pretty much just focusing on mail and web for these three demos so that's why I showed you those services. And they're all configured for Kerberos so if I do a klist -A, lower case a only shows you the current user's credentials.

Capital A shows you all of the credentials in the cache. That's a little terminal command, klist -A. And we can see that I have tickets for two users. I have net user 1 and net user 2 and they have various service tickets for IMAP and mail and all that kind of stuff.

So once again, this is just sort of setting the stage for just proving to you that it's all working properly before we start the upgrade. Why is that important? Well, I've heard in the past people try to use upgrades as a way to fix mysterious problems with their server.

Don't do that, don't do that. It's probably going to have the opposite, you know, effect in what you might be hoping for. So always make sure that everything is working properly before you do the upgrade and you do that just by flipping through your services, maybe look through your logs, try out all the client software and make sure everything is working.

You also want to make sure that you update to the latest version of Mac OS X Server, 10.5.7, run software update for that. Also on the services front, there are a couple of services that have supported in the last two major releases, upgrades to their own data formats and service versions.

Those are the DNS service and the web service. It's very easy to upgrade these by just going to Server Admin, it's like in the DNS service and there will be a button in there that says "hey, upgrade." Well, it doesn't say hey, but just says upgrade. So you click that and then it upgrades your DNS service config files to the newer version. And the same thing for web, you might have Apache1.3 if you have an older server. You need to bring that up to Apache 2.2 before you do the upgrade.

So again, this is just sort of in the process of making sure everything is clean and up to date and the newest it possibly can be before you start your upgrade. Because like in the case of some of these things, it's harder to deal with afterwards so it's good to make sure that everything is going well.

And one final check that we want to do here is just to make sure that our DNS is good, and I know that it is because I set it up and it's my own DNS server. But you can say sudo changeip -checkhostname, and it will come back and tell me "hey, you're an awesome system admin, this DNS is perfect." So I don't want anything to change, there is nothing to change. So that's pretty good. You can also export some service config files from Server Admin.

Now this is an in-place upgrade so we're going to expect that all this stuff gets maintained. But, it's always good to save off a copy of your Server Admin settings because it's so easy to do it, why not. Just go Server Admin, export, service settings, and then it's going to export all of your service settings into a single XML file stashed on USB keychain or something like that, so that you have it for future reference. And also you're going to want to make a backup copy of your SSL Certificates because those need to be reconfigured after the upgrade.

And so you can do that by just basically going in the Finder to /etc/certificates. Now these do get preserved when you do an upgrade. But, we have custom SSL Certificates, always have a copy of those somewhere off of your server especially if there-- I mean in this case they are just self-signed so they're pretty easy to recreate. But if you paid for it, definitely you know, make a backup copy.

So at this point, my server is running well, I'm pretty happy with it. So, what I would do is then boot on to the DVD. I actually did this last year on stage. It did not work out so well because of the video mirroring and stuff. So I'm not going to show that this year but I would insert the DVD, I would boot from it. And as you may have known, if you've actually tried this yet so far, the installation options are actually quite a bit simpler than they were in previous releases.

There is no clean install or upgrade install or whatever, it's just install, and we'll sort of look at kind of what's happening under the hood afterwards and we'll see what actually happened. But the point is it's much easier to install. It's really hard to mess it up. The only thing you can really customize are the optional packages such as languages and, you know, that sort of thing.

So you can customize it for that. After you do the install, you'll reboot back onto your new system. Server Assistant comes in, it tells you "hey, I found all these whole stuff, upgrading it for you," and then you'll end on your desktop. And that's where I'm going to pick up in the next demo, so I'm going to toss it back to Sean now, thank you.

[ Applause ]

Thanks, Dre. Alright, let's go and talk about the upgrade process itself while Andre prepares it over there, OK. Upgrade in-place scenarios. Maybe you have a Tiger Local and you're going to upgrade to Snow Leopard so you just have a local database, it's fine. Tiger Master to a Leopard Master, in other words Open Directory or a Leopard Advanced setup, right, which it could be events, could not be an Open Directory. Maybe you're just setting up as a file server or something else to Snow Leopard.

So the in-place upgrade, boot off the DVD as Andre said. We need to meet the specified required hardware, it's Intel only. Have the ready-to-go backup if things go awry and then reboot the server, right. So, what about a live upgrade scenario? Upgrade the Master first, then you can if you wish to upgrade each replica. Test with some clients, test with some more clients then get your groove on. But, isn't a replica it's just a clone of your Open Directory Master? So you can go through the upgrade process but you can also just do a nuke and pave.

It's up to you, you can decide. Essentially when you upgrade the replica, it's paving a little bit of the information inside the Open Directory architecture anyway, but it's up to you. So what about a nuke and pave-- Open Directory? We can archive using Server Admin, back up other configuration files, Directory Service Apples are one.

In certain cases inside server-- or inside Workgroup Manager rather, if you've set limited Server Admin or you've done any sort of directory service access control list, those may not be preserved if you do an Open Directory archive. You may want to pull those off by hand. Perform a clean install of Snow Leopard Server, update to taste, promote to an Open Directory Master and you can use Server Admin to bring that Open Directory archive back in. You get an option button that will say merge.

You can choose to merge and things should go well. So, what about server services? As Dre showed you, you have a way that you can export all the plists for all the services. Sometimes we like to customize these again because Mac OS X is an open architecture built on UNIX, we have a lot of configuration files that we can tweak.

For example the smb.conf file. A lot of us who run SMB on our servers, there are a lot of parameters that Apple doesn't put in there that I know a lot of you use. You want to make sure that you save that file off, back that file up and compare the new file in 10.6 to yours because you may want to copy in those configuration settings again, OK. What about Directory Services? LDAP and Kerberos and Binding, well, we can use the slaptest command to note any changes if you've gone and edited your schema.

And this is important, if you've gone out there, you've made some changes, run the slaptest command, it's right up there, OK. It's also documented very, very well in the man pages. Alright, what it basically does is convert the configuration to a config container inside the LDAP directory so you can see it.

Same thing to Workgroup Manager with the inspector, you can use dscl, pop into the config container inside your LDAP directory and take a look at some of the schema changes that you have. And if you're doing a Tiger to Snow upgrade and you have some legacy groups, you can upgrade those, computer lists to computer groups to computer lists. If you're upgrading from an older server and you didn't have GUIDs associated with these machines, you now get to take advantage of that.

And if you bound, unbind, upgrade, rebind, OK, don't try and do it all at once. The superman theory is not going to play too well, OK. Keep in mind that the bound clients when you're binding to another directory system whether it's Active Directory or Open Directory, creates a file inside the local config container and the file was used to create the edu.mit.Kerberos file.

If you're going to do this manually, rip them both out. Take the edu.mit.Kerberos file out, take that file inside the local config container inside DS local default-- DS local defaults nodes-- nodes default. Sorry. And what about DNS? Again, Dre talked about this. If you've made some changes in the DNS, you will get an upgrade button, it's right there. And if you have print queues, you want to export those settings, command line is just fine, and reimport those settings for your print queues, OK. Now that the server's been churning away up here, I'm going to bring Dre back up.

He's going to give us an upgrade demo, and this one's gonna work too.

So you're all thinking to yourself, how did you do an upgrade that fast? I can't tell you, sorry. So here we are in 10.6 server. Let me see that it says 10.6, fantastic. And so basically, this was an in-place upgrade from the server that I just showed you. Of course this is not-- I didn't do it in real time.

This is kind of the pre-baked, you know, cooking show version. But it's the same thing, I swear. So what we're going to do is just kind of take a look and see what happened, what do we get. So, we'll start in Server Admin and we can see a bunch of green bullets, that's pretty good except for mail.

Now it is actually documented that mail does not start after an in-place upgrade and we'll get into that in a second. But Open Directory is running, we got our Kerberos and stuff all working. I could fire up Workgroup Manager and see that my network users and groups are all preserved.

I authenticated using my directory administrator which you can see here, which means that, you know, at a fundamental level, the OpenLDAP stuff is in good shape, password service is in good shape as well. So we could take a look for example to make sure that our DNS is correct by doing the same thing we did before, check hostname, and it's going to come back and say once again, yes, everything is fine. So DNS worked, Open Directory worked, firewall is looking pretty good. I got some active rules in here, AFP, iChat, mail. So now let's take a look at some of the issues that you might run into.

Anyone who has upgraded a server knows that maybe it doesn't always work exactly right for everything every single time. So what I'm going to do is kind of walk you through the process of triage and then fixing sort of what actually is wrong. So we'll start with the mail service. It's not actually running. Now it is documented that it's not running, but what I want to show you here is the console utility. There is a log that is created in library logs, it's called set up log, set up that log.

And this log basically contains all the information that came out of Server Assistant, yeah, when it was sort of upgrading and migrating all your stuff. The thing I want to show you is up at the top. And see here, I don't know if you can read that but it says starting migration extras with arguments. And the source root is /previous system. Well, what's that all about? You didn't have a previous system.

Well, during the in-place upgrade, what happens is the installer basically takes all of your important service data and configuration files, stashes them in previous system. And then when all that's finished, the Server Assistant when you, you know, before you get to your desktop, it will just go through and run all the migration scripts that are in like system library, you know, well, there is a path through it right up there, the migration extras. And it will run all these and it's going to pull from the previous system as your old system basically and then the target root is / which just means the current system.

You can see source version is 10.5.7 as well. And so basically, this is just sort of a play by play of all these migration scripts. I'm not going to drag you through all that now, but I do want to look at the mail migration log because this is kind of a key one. Mail is pretty complicated, it's not just one service, right? You've got IMAP, you know, SMTP, POP, you got mail, mailing lists, and you know, web mail and it's kind of a lot of stuff.

So the mail migration log is kind of a good clearing house for finding out how this actually worked, or in this case, if it actually worked. So, I can look here and see that uh-oh error: missing cyrus database, previous system var/imap. That's my mail store, that's where all my messages are.

So, the post config stuff, post conf, that all might be there. But if I don't have mail, that's kind of bad. So this is a good time to remind everybody that this is not GM software. But I am going to show you how we fix this. Basically, the upgrade or script just looked in previous system for my MailStore, it wasn't there.

So what I can do is just take my MailStore, put it in previous system, and run the upgrade script again, so that's what I'm going to do. And I'm going to go to my little USB thumb drive here, have a little scripts folder, and I'm going to start it and then I'm going to explain it because it takes a second or two to run. Let's see.

[Inaudible] scripts, store. So this is just a tiny little shell script and really, I'm not doing anything special here. All I'm doing is I'm taking a backup that I had at my MailStore which was not found in previous system, but I should also point out that it is actually still on my current server.

So my Leopard Server mail stuff is actually sitting at least the MailStore portion. It's actually sitting in exact same spot that it was in, so it's not like gone or anything. But I had created a backup of that previously. There are 2 folders, var/imap and var/spool/imap. Those are actually called out in the documentation.

And so you can back those up and then what I'm doing in the script is just simply-- I think I almost took a screenshot there. What I'm doing is just restoring these on top of previous system using xar in this case, and to make sure permissions are correct.

But really all I'm doing here is running this migration script which is the same script that gets run when you do an in-place upgrade. So you might be thinking, well what's the difference between an in-place upgrade and a migration? Well, actually there's not that much of a difference and we're going to kind of see more of that in the next demo.

But for now I'm just running the same migration script as I did before, or that was run by the server automatically. I'm targeting previous system as my target root. And this script is going to take, you know, a couple of minutes to run. So while that's happening, I'm going to switch over to mail and take a look at mail.

So back in Server Admin, I see-- I said mail, I meant web. I'm going to take a look at the web service. I see that the bullet is green so that means it's all working, right, end of demo, thank you very much. You don't believe me? Well, let's take a look, uh-oh, that's not so reassuring, start time not available, version not available. So many of you may have been in this situation before where Server Admin gives you green light but maybe something is not actually correct. So, fortunately this is a documented issue.

I'm just kind of taking you all the way around the block here. So we're going to look in our logs and I'm going to pull my all messages log here which is like my console log. And what do we see here? We see a bunch of stuff, but intermixed with all the other stuff we see Apache starting and stopping and starting and stopping and starting and stopping, it's not good. So we want to know why that's happening. We're going to look at the Apache error log.

So here comes /var/log/apache2/error_log, and sure enough, server should be SSL aware but has no certificate configured. And if you have read the upgrading and migrating document, which of course you will, you will know that you will have to reconfigure your SSL certificates after an update. That's why this is not working. SSL is not reconfigured.

So I'm going to pop back in the Server Admin. I'm going to go to certificates, I'm going to delete this old one, and confirm that and then I'm going to import the certificate from my backup that I had created previously. I didn't show you creating the backup, but again it's all stashed in [inaudible] certificates, dragging my key file, dragging my cert file, import that.

So now we've imported sort of at the system keychain level, and now we need to actually reconfigure it for the service as well. So I'll go into web sites and grab my secure site, and have to re-pick my certificate there and save that. And then it will give me the option to restart the web server which of course I do need to do.

And as that is happening, I'm going to fire up my browser and I'm going to get my server's web site. That's server.wwdc. Now I type so fast that the web server has not actually started yet, but it will be started very shortly, I can assure you. So while we're waiting for that, let's take a look back at my mail migration script. Well, the script finished. Here I am back at my shell, and we see a couple of errors in there. Well, that's kind of expected, right, because the script already ran once and did a bunch of stuff. We're just kind of picking up the pieces.

So, all the stuff that it got the first time is not going to get this time because it's not there anymore like, you know, postfix config files and such. But we do want to make sure that our MailStore got migrated, so we can take a look at the same log we looked at before which is the mail migration log.

And you know, we can scroll around in here, but really this part of it, if you know anything about IMAP mail stores, that's your mail store right there. So the MailStore was found by the script because I put it in previous system where it wasn't before. The script saw it, grabbed it, did what it needs to do, now it's in Dovecot format.

And so, we should be pretty good to go on the mail server side.

Let's pop back over to our web site here which is finished loading. I'll click my wiki and I see my grouping here, and here is my wiki content that I had before. Now, one thing you might notice, well, you probably wouldn't notice it because I didn't call it out before but this was supposed to be restricted to a group. This is in your Seed notes, that access control entry didn't make it.

So what we need to do is log in as an administrator and we can just edit the settings on the wiki and we'll see kind of what the problem is here. We go to permissions and right here, you can see that it thinks it's supposed to be restricted but there is no actual group or user list here.

So we just kind of type in our username or our group name, select it, and then save these settings and then-- now if I were to log out of the wiki and try to access it again, we would see that I would actually have to log in. There we go, and there is my log in prompt.

Log in as net user, and so there is the wiki just like we left it in Leopard. So I'll switch back to mail. So the mail migration script is finished, we've got all that stuff going, now we need to double check our SSL config in mail as well just like we had to do for Apache, because we had to reimport our SSL Certificates.

So we grab our mail settings, go over settings here, let this load, and those all look pretty much correct. So we're going to go over to advanced and flip this on and we redo our SSL configuration. There we go, and then save that. Theoretically this should do it, but maybe it won't. So we'll see why or why not here.

But I'm going to wait for the spinner because you got to wait for the spinner, there we go. So, I discovered in testing this that about half of the time, there is an error that ends up in a Dovecot config file, and I'll show it to you now. So if I search for SSL_ in the file /etc/dovecot/dovecot.conf. Oh good, it happened this time.

What I will see is right up there-- do you see any problems? So that's actually right next to the lights, let me move that down a little bit. So I have my SSL cert file pointing to my WWDC certificate. SSL key file, kind of important, directive is commented out.

So what happens in this case is it tries to use the compiled and default certificate location which is probably for some Linux system or something like-- and it's totally inappropriate for our system. So what we need to do to fix this and again, Server Admin says everything is cool but everything's not cool. So we need to edit that file so we'll sudo.

I'm going to use vi, you can use whatever editor you like, /etc/dovecot/dovecot.conf, and we're just going to search for SSL_key and here is the directive right here that is commented out, which means that it's not, it might as well not even be in the file. We need this directive, it's very important. So I'm just going to remove the hash mark. Again, not GM software, hopefully you won't have to do this. But, now I'm ready to start the mail service so I come back over here, click start.

While that's starting up, let me grab my mail client. Almost, try it again. Here comes mail. Now remember, this was an in-place upgrade which means that my client side settings are actually still there, which is basically the stuff in my home directory for the mail client app. So it goes through its little, you know, database upgrade thingy and then it's done.

And then it's going to log in to the service hopefully. Right about now I should get my Kerberos challenge, there it is. So, now I have 2 accounts so it's going to prompt me twice. I have 2 accounts set up, so I plug in my, you know, credentials there and I can see that my MailStore did actually get migrated properly. There is the one message from the one user and there is the other message from the other user.

I could even, you know, klist -A, capital A, and I see that, you know, Kerberos stuff is working. So, that gives you sort of a brief idea of some of the techniques that you might need to employ if everything doesn't always just work. Basically you start with pulling in your service configs, look at the upgrade logs if you can, and test it. If it's not working, usually the logs are going to tell you why.

In this case, we actually have some documented issues that are kind of sitting our way too with the SSL Certificates and such. So between the release notes, documentation and you know, the community resources, you can usually figure out what needs to be done. But sometimes it's not all automatic so that kind of gives you a little bit of a sample of some of the things that might need to be done on an in-place upgrade.

And so with that, I'm going to pass it back to Schoun, thank you.

[ Inaudible Remark ]

[ Applause ]

Thank you Andre. At this time, I'm going to ask John Poynor to come up and John is going to talk about migration, John.

Thanks Schoun, awesome job Andre.

So, we've covered upgrading. It's been mentioned a couple of times if you're catching it, that the process of upgrading and doing the Automated Migration using the Server Assistant is essentially exactly the same now. And Schoun has mentioned it, there has been a lot of work put into it so we certainly hope that as you approach upgrading or migrating to Snow Leopard Server, that you give the Automated Migration a chance.

There has been a lot of voodoo around the upgrading and migrating process. It almost seems if you go through the lists and the forums and spend time out there reading about the process of upgrading that people say not to do it. Always do a migration. So, we're going to cover the old way of migrating because people will stick to their tried and true method and we respect that, so we're definitely going to cover that.

But I want to call out of course the work that's been done in the Automated Migration process, and essentially to do an Automated Migration. And let me back up, so you know, when do you want to migrate versus upgrade? Well, this release of the operating system is unique in that it's Intel only.

Who out here has a PowerPC server running right now? Yeah, I know. So, I mean migration is pretty much your option. I mean the nice thing is of course what I've been talking about, all the work that's been-- that's gone into the Automated Migration using Server Assistant.

And if you saw the session today, Eric Firestone's session on the new Server Assistant and the Automated Migration process. You understand how that works. In order to do an automated migration, essentially all you need to do is have your old server mounted on the new server as you run through the Setup Assistant.

So I know that that first bullet seems kind of strange, right? Yeah, you want to either boot the old server into target disk mode, or do the disk to disk restoration that Andre kind of demoed there and put it on to a FireWire drive or USB drive if they're not physically close enough that you can target disk mode and plug in a cable.

But have that volume mounted on the system as you go through the Setup Assistant and it's important to note that it needs to be there during the Setup Assistant because you can't go back later and run through this process. You can, but it's basically all by hand using the scripts that Andre has been showing you. And then essentially, as you go into the Setup Assistant, you got that volume mounted.

You come to a screen which will be shown to you here in a second where you have the option to set up your server or transfer information from your previous system. So if you select the option to move information from your previous system, it takes you to another screen where it says pick the volume with your previous system. It will show you any and all volumes that have a supported operating system to upgrade, 10.4.11 or 10.5.6 or later.

You pick your volume, you hit next. In the background, all the scripts are running. It migrates your data in the exact same way that your data is being moved in an in-place upgrade. It's exactly the same. There you go, and of course we'll show you how that works.

Now, if you choose to go the Manual Migration process-- Well, who has been through a Manual Migration process before? OK, this process looks exactly the same as it did in Leopard Server. I mean it is identical. It's the same steps that you're going to be going through. The tools have changed a little bit.

There is, you know, special note that needs to be made for the services that have changed. For instance mail where we moved to Dovecot instead of the other tools we had before. So, yeah, this is what it looks like, export your information, users groups, authentication information, your services configuration and data files. Move them over to the new server, run all the scripts that have been placed there for you to pull the data in and then set it all up for home directories, verify that your user accounts work, test everything out.

This note is exactly the same as the note as during the upgrade process. You want to do your master first, leave your replicas online so that your clients don't have a service interruption. And then once your master is up, you verify that everything is working. Go ahead and upgrade your replicas and reestablish those replicas.

So exporting settings, you've got kind of the usual suspects as far as tools for exporting your user and group information, service settings, and creating archives of files for, you know, your user data. There are GUI tools, there are command line tools. I'll call out specifically the Open Directory information. If you choose to use Workgroup Manager or the dsexport command which is here, passwords don't come with that.

So when you export your users and groups and reimport them on the new server, you've got to work out some way to get their passwords back whether that be editing the export file to include passwords, or assigning everybody a generic password and forcing them to change on the next log in, my personal favorite.

You've got to work that out. So if you choose instead to do an Open Directory archive using Server Admin, all that information is brought over. You merge that data in and it all works, we hope. Yeah, and then of course for your services settings, you've got the Server Admin GUI which Andre showed you, you've also got the Server Admin command line tool which is your interface to Server Admin. It's exactly the same. Next step, import all your data, and the process looks something like this.

Copy all your archive files that you made in the first two steps over to the new server, reimport the service settings and data. Configure home directories for the user, that structure, bring in all that data, about the service data and the user data. Set it all up, run migration scripts as needed, check permissions and then verify that everything works. Your tools for importing data into Snow Leopard Server are exactly what they look like in Leopard Server.

Workgroup Manager for users and groups, computer lists, Server Admin for services, and then of course if you do the Open Directory archive, Server Admin is your tool for merging that data into the new Open Directory database. And then command line, you got dsimport and serveradmin. When you get to the point in the process that you've imported user information and you've worked out the passwords whether you did the OD archive or imported with Workgroup Manager and set passwords, you want to verify that that works and there are GUI ways to do this.

I've called out the command line ways because as IT administrators, this will save you tons of time over digging around trying to find the Kerberos app. kadmin.local to list the principals, kinit to get a service principal for a user, or TGT rather, verify that your Password Server database actually contains the users that you brought over and things should have entries in the Password Server database.

You won't see the passwords but you'll only see the user in plain text in this output, and then you can verify that Password Server authentication works using dscl. Andre already called this out. This is the location where all of the migration extras live. This location hasn't changed either.

This was the same in Leopard as it is in Snow Leopard although the files and the numbering prefix have changed on a lot of them. And their usage is called out regularly in the documentation so it can't be stressed enough that you really need to be following the documentation when you're going through this process.

What services can be migrated? All of them, there they are. I mean there is a couple like LDAP server settings. Yeah, if you have extended your schema or have a custom directory access control lists, that type of stuff can be migrated although by hand but everything can be migrated. The next few slides are a dizzying array of paths to service configuration and data. You don't need to know all these. It's all in the documentation.

Again, we can't stress it enough, follow the documentation, things will go well for you. And with that I'm going to bring Andre up.

So this is the clean-- this is the migration demo, and I'm not going to show you the actual migrate from volume thing, because it's actually very similar to the in-place upgrade. So I'm going to skip to the clean server and I want to manually migrate some data and service configs from my old server into the new one.

So here I am on a fresh-- freshly installed Snow Leopard Server. Pretty much all that I've done here is just, you know, create the admin account and I flagged a few services here for configuration so that they show up in the list, but I haven't actually configured them yet.

So, I want to bring back mail and web. In order to do that, I need an Open Directory Master because I need my users and groups, and particularly the GUIDs from the users and groups to match what they were before, otherwise the wiki data and stuff won't work right, and mail as well.

So if I need an Open Directory Master, then what service do I have to start with, anybody? DNS, thank you, yes. So I can import the DNS config files but before I do that even, I'm going to start with the SSL Certificates because some of the config files that I'm going to import, I'm going to import them all at once for the different services.

Some of those are going to be referring to my SSL Certificates like my web config and such. So I want to pull in my SSL Certificate first, and again I'm just sort of pulling these in from the backup that I have created. And so there is my SSL cert.

And now I'm ready to pull in my DNS settings and others, so I'm just going to import service settings and navigate to my little USB thumb drive here. Under configs, here is my service data, and this is that one big XML file that's got all those service configs just stacked up inside of it. And I'm not going to get everything just for the sake of brevity here. And in fact I really couldn't import everything.

For example if I try to import my file sharing settings, well there's an amount of stuff that's not going to work yet because I don't have an Open Directory Server yet. So I'm just going to import-- I'm not going to import mail because I'm going to migrate all that stuff manually. I'm not going to import my OD settings or server, but I am going to get web and we'll just pull these other ones off as well because I'm not going to show them. But pretty much just DNS and web, pretty straightforward.

So that comes in. So now I've got a DNS server and let's make sure my zones are in there, and there is my WWDC zone, so now I can start my DNS server. And then I can go and you know, set my DNS client settings because we need those to-- and grab my IP here, just throw that in my DNS server and add my search domain. So now I've got DNS client and server. So we should check our work here, sudo changeip -checkhostname.

There we go, nothing to change. So now I'm ready for my Open Directory Master. And before we can restore the archive, we actually have to clone it to a Master. So I'm just going to go through the Open Directory Assistant and choose Open Directory Master. And throw the stuff in here. Now this screen is actually kind of important because if it doesn't suggest to you a good Kerberos realm in LDAP search base based on your actual fully qualified domain name, that is a sign of trouble.

You should check your DNS. But in this case, since I already did that, and this is correct, we will continue. And the Open Directory, any time you change the Open Directory role of a server, you can examine that stuff, the things that are happening there using the Console utility and the log-- the relevant log file is /Library/Logs/slapconfig.log.

I always thought that was kind of a funny word, slapconfig. So here it is and it's doing stuff, and so that will be done in just a second but basically it's setting up my, you know, LDAP master, it's setting up my Password Server, setting up a KDC, creating a bunch of service keytabs for all my services, and basically doing a bunch of other stuff that we're going to kind of overwrite here in just a second as I pull in my archive.

So we'll switch back to Server Admin and this is almost done. There we go. So, now I have an Open Directory Master, click the overview tab, I can see my LDAP and Password Server and the Kerberos stuff are running. That's awesome, so now I go to my archive that I created previously and I'm going to restore that. So I choose from my USB thumb drive, from the data directory, my Leopard Open Directory backup and I restore that, supply the password.

You also get the chance to merge or overwrite, so if you have a bunch of records that you didn't want to lose, you could merge. I'm just going to merge, it doesn't really matter because I really don't have a whole lot of stuff in this Open Directory Master because I just created it. So we're going to restore the backup and this is actually pretty quick. So here comes the Open Directory stuff and now we can verify this by firing up Workgroup Manager and just logging in.

And once, twice, 3 times, 4 times, this is going to work. There it goes. [Laughter] That's how fast of a typer I am. I was really going for 3 times a charm so I went too fast, I'm sorry. So here are my users and my groups. So my Open Directory restore worked, and of course I logged in with my directory administrator credential, which means my authentication is working as well. So now I have an Open Directory server, I have DNS server, now I can actually start looking at my service configurations. So we'll start with mail and what we're going to do is we're just going to use the migration script that is called out in the documentation.

So I'm just going to kind of go to my other script that I had and just sort of crib from that a little bit. Let's see, scripts, got mail, restore. I'm just going to grab this last line here which actually fires off the upgrade script itself. And make sure I got my clipboard contents proper and there, doing this with a trackpad is quite an adventure, I'm going to tell you. So, I'm going to use this command which is in the documentation. But what I'm not going to do is specify a source of previous system.

'Cause I don't have a previous system. What I do have is my old server mounted at /Volumes/MacintoshHD1. Now remember, Finder is going to pull a little smoke and mirrors on you here, and it's going to say, no, they're both called Macintosh HD. Not true, you can't actually, it's illegal. You have to have, you know, unique directory names for all your mount points.

So if you have two drives with the same name, go into the Terminal or perhaps use Go to Folder in Finder, just go to /Volumes. It's called /Volumes/MacintoshHD1. That's what we need to use as our source root, so I'm just going to change that right here, /Volumes/MacintoshHD1 and that looks all correct.

So let me kick that off and that's going to run. We're going to pull up the mail migration log. We'll do it on time. OK, so that's going to go. And now let's switch to web. So I'd already pulled in my web settings. We need to make sure that the SSL is configured properly.

So we'll go back in and reconfigure my SSL settings because again I had to reimport my SSL certificates, save that. Now we don't have any other document roots like normal web stuff, we just have in this case wiki data so that is all stored in /Library/Collaboration. So what we're going to do is just go to /Library and see here is Collaboration and it's empty. There's nothing in there. This is the new one basically.

I'm just going to delete that folder and authenticate. And I happen to have on my little USB keychain, a collaboration.tgz archive, or just use Finder to make a compressed archive from my Leopard server. And if you're saying "Oh, I forgot to do that" well you have a backup of your server disk images.

Go in and you know, do it. So I will paste that in and I will decompress it and finally I have to make sure the permissions are correct. They need to be owned by the teamsserver and you can do this in Finder if you wanted to as well, but it's _teamsserver user and group on /Library/Collaboration. OK, so in the case of just the wiki, that's actually all you have to do, kind of neat.

So we'll start the web service and we'll find our browser, and here comes a browser and we'll go to https://server.wwdc. And we get the certificate warning because this is a fresh server. We've never encountered this custom self signed certificate before so we get the warning, we expect that.

We click show certificate and we click the check box to always trust it, and plug in our admin credentials. So then hopefully our server page will load. It's coming, so we'll take a look at the mail script which is not done yet but it's close. Let's see here. Yup, there it is still running, but it's getting close. And I think the web server is done there so we can then go into our wiki, and the wiki part of it is still starting up too.

Apache starts first and then you get teamsserver in the background and that stuff. So then we can log in as my network user and password, and then we see our wiki content, pretty easy to migrate in the case of the wiki data. You just, you know, collect that /Library/Collaboration folder. The key though is you need to have the users and group records with the same GUIDs that they had from the backup which we took care of because I reimported my Open Directory archive.

But if you just do something like recreate users and groups with the same names, it's not going to work because the GUIDs are going to be totally different. This is why you want to use either a Workgroup Manager backup and restore, or if you want the passwords to go too, you want to use the Open Directory backup and restore. OK, so let's switch back to mail.

The mail script is finished running. I can flip back over here to my mail migration log and scroll up and see, yes in fact it was able to migrate my MailStore and everything. So the last thing to do at this point is to make sure that mail is configured properly for SSL before we actually start the mail client.

Wait for the spinner, there it is, advanced, use and views, pick my certificate, save that, and we're going to go ahead and check the config file to make sure that it gets written properly. Usually in this case in my experience, it does. But we're going to check anyway.

So waiting for the spinner and let's just grep for SSL_ in /etc/dovecot/dovecot.conf. And we see that in this case, in fact it did write these two config entries correctly. We have SSL cert file and SSL key file. Both of those are not commented, they're active, they're pointing to the right cert, which means that this is likely to work.

So now I can flip back over here, start my mail service, and as that's starting up we'll flip over to mail client which I've sort of prefilled a little bit with some of the config data for this account. So when I click continue, I believe it's looking for like MX records and stuff right now. So I'm just going to cancel that and manually continue. I didn't set up any MX records in my DNS server, sorry. So mail exchange records are used for mail.

So net user 1, and we'll say server.wwdc and the user1 and my password. And if all goes well-- and right about now, you should get my Kerberos prompt which we did. And while we're waiting for mail to advance to the SMTP screen, let's go ahead and just look at my Kerberos keys or my Kerberos tickets rather. We see that I got a TGT and I've got an IMAP service ticket for the net user 1 user.

And the next thing we're going to see from mail after it finishes showing this pizza is going to be the SMTP screen. And what we'll see there is, once I plug in my information, that there we go, net user 1, server.wwdc, and we will authenticate here with the same credentials. And as I continue, I've now logged in, my account's created and I'm going to flip back here one more time, do another klist and sure enough we have an SMTP ticket now as well, so that's awesome.

And there is my mail and I even preserved the read status of the message. So that's just kind of a brief whirlwind tour. Normally you go slower than this in a production environment. [Laughter] But you know, for onstage that works out alright, so thank you very much, let me toss you back to John.

[ Applause ]

So again, let's talk about the replicas. Unless nonstop operation is critical, you can do a clean install of Snow Leopard Server, right, and have that become a replica of the new Master. When you're talking about migrating just like John showed you, take the home directories, zip them up, move them over, unzip them, go and have a beer, that would be fine. So depending on the path, where are we? NetInfo, gone.

If you have a Tiger Server and you upgrade it, it's now gone. We're now 100 percent LDAP for the Open Directory Masters. We have a Password Server running fine, we have our KDC running fine, our home directories are there, wikis have migrated over, mails have been migrated over.

And regardless of our path, and I can't stress this enough, we did a plain vanilla. We did it live again because the slides are static. It's not as much fun, you don't sit on the edge of your seat waiting for us to fail so you can take a photo and post it to Fail Blog. Now that's not how it works.

So, if you have these customized files, you really need to remember where they are and back them up. Generally, the problems that we see, some system admin has come in, changed something very minor in a configuration file, didn't write it down, didn't tell anybody, forgot about it, may have moved on if they are a consultant or whatever, somebody else upgrades it and they have a problem, OK.

So, what do you do? Well, you attend this session. Back up at least once, set up a private test environment, right, test the upgrade, test the migration, test them on the server, test them with the clients, OK. And like I said at the beginning, it's not and it's never been a totally error free process. But Apple engineers have worked very, very hard to make it as smooth as possible.

And while the GUI has the Migration Assistant in it and that's great and it's really easy, our job was to show you the behind the scenes, OK. So, what other sessions, if you have attended them or you can get them on iTunes, right, when they come out, and the Directory Services lab which was earlier today. For more information, you can get a hold of Mark, get a hold of one of us.